CLAIMS 

What is claimed is: 

1 . A method of analyzing network communication traffic for potential intrusion activity, 
comprising the steps of: 

assigning packets to a flow; 

collecting flow data from packet headers; 

analyzing collected flow data to assign a concern index value to the flow based 
upon a probability that the flow was not normal for data communications; 

maintaining an accumulated concern index from flows associated with a host; and 
issuing an alarm signal once the accumulated concern index has exceeded an alarm 
threshold value. 

2. The method of claim 1, wherein the flow consists of the packets exchanged between 
two hosts that are associated with a single service. 

3. The method of claim 1, wherein the alarm signal updates a firewall for filtering packets 
transmitted by a host. 

4. The method of claim 1, wherein the alarm signal generates a notification to the network 
administrator. 

5. The method of claim 1, wherein each concern index value associated with a respective 
potential intrusion activity is a predetermined fixed value. 
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6. A method of analyzing network communication traffic for potential intrusion activity, 
comprising the steps of: 

assigning packets to a flow wherein a flow consists of the packets exchanged 
between two hosts that are associated with a single service; 

collecting flow data from packet headers; 

analyzing collected flow data to assign a concern index value wherein each 
concern index value associated with a respective potential intrusion activity is a 
predetermined fixed value; 

maintaining an accumulated concern index from flows associated with a host; and 
issuing an alarm signal once the accumulated concern index has exceeded an alarm 
threshold value. 



8. A method of analyzing network communication traffic for potential intrusion activity, 
comprising the steps of: 

assigning packets to a flow wherein a flow consists of the packets exchanged 
between two Internet Protocol addresses with at least one port remains constant; 
collecting flow data from packet headers; 

analyzing collected flow data to assign a concern index value tp the flow; 

maintaining a host structure containing an accumulated concern index from flows 
associated with the host; and 

issuing an alarm once the accumulated concern index has exceeded an alarm 
threshold value. 

9. The method of claim 8, wherein each concern index value associated with a respective 
potential intrusion activity is a predetermined fixed value. 
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10. A system for analyzing network communication traffic, comprising: 

a computer system operable to classify packets into flows, collect flow data from 
packet header information, analyze collected flow data to assign a concern index value 
wherein each concern index value associated with a respective potential intrusion activity 
5 is a predetermined fixed value, and generate an alarm signal; and 

a communication system coupled to the computer system operable to send packets 
from one host to another host. 

11. A system for analyzing network communication traffic, comprising: 
a processor operable to classify packets into flows, collect flow data from packet 

header information, analyze collected flow data to assign a concern index value wherein 
each concern index value associated with a respective potential intrusion activity is a 
predetermined fixed value, and generate an alarm signal; 

memory coupled to the processor operable to store the flow data; 
a database coupled to processor operable to store log files; and 
and a network interface coupled to the processor operable to monitor network 

traffic. 

12. A method of analyzing network communication traffic for potential intrusion activity, 
20 comprising the steps of: 

analyzing packet header information; 

determining a transport level protocol specifying a format of a data area ; 
issuing an alarm when the transport level protocol is identified as User Datagram 
Protocol and the data segment associated with User Datagram Protocol packet contains 
25 two or less bytes of data. 
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